Looking for an Extension? Have an Extension request? Post your request here for help. (Note: This forum is community supported; while there is an Extensions Development Team, said team does not dedicate itself to handling requests in this forum)

I am not sure what "privacy law" an IP address need to comply to but after six months most IP addresses will not be an issue as they will be well out of date and there is actually an argument that IP addresses should be retained as an audit trail.

DavidRemember: You only know what you know and - you don't know what you don't know!My CDB Contributions | How to install an extensionI will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.No support requests via PM or email as they will be ignored

However, in the EU there are strict privacy laws, and users have the right to demand their "personal information" to be deleted - IP addresses belong to personal information according to a couple of lawsuits that have been filed during the last few years. As you may know, unfortunately in such cases, it's usually small website hosters like me who get threatened with lawsuits and receive lawyer's blackmailing letters (with fee payment forms attached) if we're not complying with existing legal fine-print by 100% while fartbook, Google & Co. don't.

If an extension (or such a feature) existed, I could extend the privacy declaration on my board that - let's say, after 3 months - IP addresses are automatically anonymized, so no user could cause me any trouble if he wants to 'leave' and have 'all his information deleted'. The posts could remain in the board as they usually don't contain identifiable information, he/she could "anonymize" his/her email address (by changing it to a non-existing one, thus disabling his own access to the board) and his IP would be anonymized after a couple more weeks anyway.

cheers, r.

Last edited by richey on Tue Jun 06, 2017 1:51 pm, edited 2 times in total.

if he wants to 'leave' and have 'all his information deleted'. The posts could remain in the board as they usually don't contain identifiable information, he/she could "anonymize" his/her email address (by changing it to a non-existing one, thus disabling his own access to the board) and his IP would be anonymized after a couple more weeks anyway.

It would be simpler to delete that user completely, and leave their posts behind. Then their Email address is gone.

if he wants to 'leave' and have 'all his information deleted'. The posts could remain in the board as they usually don't contain identifiable information, he/she could "anonymize" his/her email address (by changing it to a non-existing one, thus disabling his own access to the board) and his IP would be anonymized after a couple more weeks anyway.

It would be simpler to delete that user completely, and leave their posts behind. Then their Email address is gone.

As a webmaster/forum hoster, I'd really prefer to be able to 'forget' about such things by informing users beforehand that their IP's are 'safe' on my board (instead of having to clean up everything by hand on request), and save time when someone wants to have their private information deleted.

That report specifically states that unless there is sufficient other data present with the IP address to identify a user then it does not fall within the scope of the EU data privacy laws.

In standard phpBB there is no other "personal" data that can be used in conjunction with a user's IP address that could be used to identify them - now if you have other "add ons" that add that data then the issue is with the add on.

DavidRemember: You only know what you know and - you don't know what you don't know!My CDB Contributions | How to install an extensionI will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.No support requests via PM or email as they will be ignored

In many board (including mine) it has come to the practice to suggest users to "anonymize" their account by entering a crazy email address and changing the password (so they won't be able to access it anymore by themselves as well).
That way, posts can remain in the forum (which is prefered by forum hosters in most cases), but the user's real email address is detached from the account (which is what most users are actually interested in when asking for their account to be 'deleted': to avoid potential spam). So the IP from the posts table remains linked to the account (and it could theoretically be used to track a user or reveal his real identity), although that would hardly cause any harm.

it could theoretically be used to track a user or reveal his real identity

Please explain how this can be done within standard phpBB

DavidRemember: You only know what you know and - you don't know what you don't know!My CDB Contributions | How to install an extensionI will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.No support requests via PM or email as they will be ignored

I agree with the OP that board owner should be able to anonymize IP's, There is very seldom a need to store the posters IP for the whole lifetime of a post and it's against the "need to know"-principle.
With standard phpBB, it's quite easy to find out the IP the post was made from, the ISP where that IP belongs to (via whois service) and maybe (if it is a static IP) eg. the company network. It's just in the post information area, giving "IP", "posts made from this IP", "Other IP used by the user", all IPs with a link to the whois service.

Apart from that, there are some legal calls for "telecommunications data retention", which often affects ISPs, but normal board owners should very seldom have legal needs to store communications data eternally.

For a limited period it is useful to check session keys, or to identify multiple accounts from one user (there may be other usecases as well). But storing the data forever is not very useful and maybe against the law in some country or against board owners principles